Are there any sources on the procedure by which NSLs and other subpoenas / gag orders could be used to coerce certificate authorities to hand out their private keys? My guess is the risk of using the root certificate of a different company for MITM is too high: EFF's SSL Observatory would detect it. I'm surprised there have been no leaks about such attacks: it's fairly easy to mitigate, transparent, long term, and extremely effective, even against PFS. Does anyone have guesses or information about how CAs handle their private keys? Are all certificates they sign for companies done on airgapped computers? How high are the security standards of these companies?

Markus

On 25.07.2014 23:13, grarpamp wrote:
---------- Forwarded message ----------
From: John Gilmore <gnu@toad.com>
Date: Thu, Jul 24, 2014 at 8:36 PM
Subject: Re: [Cryptography] hard to trust all those root CAs
To: John Kelsey <crypto.jmk@gmail.com>
Cc: "justgold79@gmail.com" <justgold79@gmail.com>, "cryptography@metzdowd.com" <cryptography@metzdowd.com>
For January, we have not received any National Security Letters this month. On the month you receive one, you stop putting such notices out, and sell the now-useless business.
Yeah, and the judge and prosecutor who get your case will be helpless before your clever skills at evading them, because they've never had to deal with literal-minded people trying transparent dodges to get around the law before.
NSL's don't involve a judge. Nor even a prosecutor. They are an investigative tactic, used by the FBI (or the FBI proxying for NSA), long before a prosecutor is usually involved.
The more likely it is that you will disclose a government request for snitching on your customers, the less likely it is that that request will ever arrive. Shining sunlight on spook activities is the best way to make them crawl back into their hole.
You will doubtless enjoy the same success as tax protesters do when they end up in court. And shortly thereafter, you'll enjoy an all-expenses-paid vacation with free room and board, courtesy of the US government.
Chuckle chuckle, just like the headlines about marijuana reform for decades. First they laugh at you, etc. But the joke doesn't excuse the iron fist you are trying to invoke to influence people. Mr. Kelsey, you usually don't fall to this level of "be afraid, the [government] terrorists are coming" propaganda.
Ladar Levison, Mr. Lavabit, the last guy to do exactly what was suggested, is still out walking the streets -- and starting new companies that offer to protect their customers from covert surveillance. As often occurs, the spooks were less interested in smashing a guy who's standing up for the rights of the public, than they were in preventing a detailed public airing of what they were up to when they ran into him.
John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography